Description: Sanity check strings too long
 XSS bug if you send >64kB long comments
Author: pento@wordpress.org
Origin: backport, https://core.trac.wordpress.org/log/branches/4.2?rev=32311&stop_rev=32300
Bug: https://bugs.debian.org/783347
Applied-Upstream: 4.2.1
Last-Update: 2015-04-28
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -1506,11 +1506,20 @@
 	 */
 	protected function process_fields( $table, $data, $format ) {
 		$data = $this->process_field_formats( $data, $format );
+		if ( false === $data ) {
+			return false;
+		}
+
 		$data = $this->process_field_charsets( $data, $table );
 		if ( false === $data ) {
 			return false;
 		}
 
+		$data = $this->process_field_lengths( $data, $table );
+		if ( false === $data ) {
+			return false;
+		}
+
 		$converted_data = $this->strip_invalid_text( $data );
 
 		if ( $data !== $converted_data ) {
@@ -1593,6 +1602,40 @@
 
 
 	/**
+	 * For string fields, record the maximum string length that field can safely save.
+	 *
+	 * @since 4.2.1
+	 * @access protected
+	 *
+	 * @param array  $data  As it comes from the wpdb::process_field_charsets() method.
+	 * @param string $table Table name.
+	 * @return array|False The same array as $data with additional 'length' keys, or false if
+	 *                     any of the values were too long for their corresponding field.
+	 */
+	protected function process_field_lengths( $data, $table ) {
+		foreach ( $data as $field => $value ) {
+			if ( '%d' === $value['format'] || '%f' === $value['format'] ) {
+				// We can skip this field if we know it isn't a string.
+				// This checks %d/%f versus ! %s because it's sprintf() could take more.
+				$value['length'] = false;
+			} else {
+				$value['length'] = $this->get_col_length( $table, $field );
+				if ( is_wp_error( $value['length'] ) ) {
+					return false;
+				}
+			}
+
+			if ( false !== $value['length'] && mb_strlen( $value['value'] ) > $value['length'] ) {
+				return false;
+			}
+
+			$data[ $field ] = $value;
+		}
+
+		return $data;
+	}
+
+	/**
 	 * Retrieve one variable from the database.
 	 *
 	 * Executes a SQL query and returns the value from the SQL result.
@@ -1907,6 +1950,77 @@
 	}
 
 	/**
+	 * Retrieve the maximum string length allowed in a given column.
+	 *
+	 * @since 4.2.1
+	 * @access public
+	 *
+	 * @param string $table  Table name.
+	 * @param string $column Column name.
+	 * @return mixed Max column length as an int. False if the column has no
+	 *               length. WP_Error object if there was an error.
+	 */
+	public function get_col_length( $table, $column ) {
+		$tablekey = strtolower( $table );
+		$columnkey = strtolower( $column );
+
+		// Skip this entirely if this isn't a MySQL database.
+		if ( false === $this->is_mysql ) {
+			return false;
+		}
+
+		if ( empty( $this->col_meta[ $tablekey ] ) ) {
+			// This primes column information for us.
+			$table_charset = $this->get_table_charset( $table );
+			if ( is_wp_error( $table_charset ) ) {
+				return $table_charset;
+			}
+		}
+
+		if ( empty( $this->col_meta[ $tablekey ][ $columnkey ] ) ) {
+			return false;
+		}
+
+		$typeinfo = explode( '(', $this->col_meta[ $tablekey ][ $columnkey ]->Type );
+
+		$type = strtolower( $typeinfo[0] );
+		if ( ! empty( $typeinfo[1] ) ) {
+			$length = trim( $typeinfo[1], ')' );
+		} else {
+			$length = false;
+		}
+
+		switch( $type ) {
+			case 'binary':
+			case 'char':
+			case 'varbinary':
+			case 'varchar':
+				return $length;
+				break;
+			case 'tinyblob':
+			case 'tinytext':
+				return 255; // 2^8 - 1
+				break;
+			case 'blob':
+			case 'text':
+				return 65535; // 2^16 - 1
+				break;
+			case 'mediumblob':
+			case 'mediumtext':
+				return 16777215; // 2^24 - 1
+				break;
+			case 'longblob':
+			case 'longtext':
+				return 4294967295; // 2^32 - 1
+				break;
+			default:
+				return false;
+		}
+
+		return false;
+	}
+
+	/**
 	 * Check if a string is ASCII.
 	 *
 	 * The negative regex is faster for non-ASCII strings, as it allows
